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Abstract. Trust is often conveyed through delegation, or through recommenda- 
tion. This makes the trust authorities, who process and publish trust recommen- 
dations, into an attractive target for attacks and spoofing. In some recent empiric 
studies, this was shown to lead to a remarkable phenomenon of adverse selec- 
tion: a greater percentage of unreliable or malicious web merchants were found 
among those with certain types of trust certificates, then among those without. 
While such findings can be attributed to a lack of diligence in trust authorities, or 
even to conflicts of interest, our analysis of trust dynamics suggests that public 
trust networks would probably remain vulnerable even if trust authorities were 
perfectly diligent. The reason is that the process of trust building, if trust is not 
breached too often, naturally leads to power-law distributions: the rich get richer, 
the trusted attract more trust. The evolutionary processes with such distributions, 
ubiquitous in nature, are known to be robust with respect to random failures, but 
vulnerable to adaptive attacks. We recommend some ways to decrease the vul- 
nerability of trust building, and suggest some ideas for exploration. 



1 Introduction 

Background. In analyzing security protocols, we often reason under the assumption 
that a protocol participant, say Alice, is honest. This assumption simply means that 
Alice acts just as prescribed by the protocol, and does not engage in any other avail- 
able runs. Such an assumption is sometimes justified, and sometimes not. When this 
assumption about Alice is made by another protocol participant, say Bob, then we say 
that Bob trusts Alice. The notion of protocol, according to which Alice is trusted to 
behave, is understood in the broadest sense of the word, as a general constraint on par- 
ticipants' behavior. E.g., a conversation protocol may consist of the requirement that 
the participants speak the truth, and Bob may trust Alice in that sense. While Alice's 
statements may be true or false, Bob's trust may go through many shades of gray, and 
through some nuances of other colors. Trust is dynamic, and can be many-valued. But 
note that it does not depend on any rules outside the specified protocol: e.g., a bank 
robbery protocol may involve a requirement that the robbers do not shoot at each other, 

so Bob may trust Alice in that sense. In any case, we write B — > A, where Bob is the 

r 

trustor, Alice is the trustee, is the entrusted protocol (constraint, property), and r is a 
trust rating, which quantifies the level of trust. 

In practice, this general notion of trust is usually restricted to some special cases: 
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- in web commerce, the seller and the buyer are trusted to act according to the es- 
tablished exchange protocols; more generally, trust plays an essential role in web 
services and service-oriented architectures at large; 

- in access control, various types of principals (people, machines, services, channels) 
may entrust each other with various actions, or they may delegate authorities for 
such actions to each other [21171 ; 

- in public key cryptography, it is useful to view keys as principals^, and to view the 
key hierarchies as trust relationships [3 19 2 413011 . 

- various peer-to-peer and business-to-business transactions are based on trust, and 
the corresponding networks require various types of trust infrastructure 19 141151231 . 

When social relations need to be analyzed, the modeling techniques often proceed 
from two different points of view: local and global. E.g. in economics, when the ques- 
tions of risk and utility are analyzed from a local point of view, they subsume under 
microeconomics; when they are analyzed from a global point of view, they fall under 
macroeconomics. Analyses of trust fall into two roughly analogous categories. 

Local analyses of the trust relationship B — > A are largely concerned with the log- 
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ics of 0, i.e. with the reasoning whereby the trustor B conveys or justifies entrusting 
the trustee A with <t>. As explained above, the trust statements internalize principals' 
beliefs and interactions, and vary through different forms of uncertainty, which lead to 
nonstandard logical features and formalisms. The examples of this kind of approach 
include 1511011 1I17I20I211 . E.g., when trust is analyzed in strand spaces [ 10], a trust re- 

lationship B — > A is viewed on the level of a single send-receive interaction, where A is 

V 

the sender and B the receiver. This interaction is annotated by a statement <P, which the 
receiver B requires, and the sender A guarantees. By sending the message, A asserts <t>\ 
when he receives the message, B assumes <P. The statement that B trusts A thus means 
that B relies on A for 0. 

On the other hand, the global analyses of trust usually look at the trust networks 

<t> 

spanned by the trust relationships B — > A between the members A, B ... of some set 

V 

of principals. While the local analyses focus on the logics of the entrusted properties 
<t>, the global analyses focus on the network structure and traffic dynamics leading to 
trust, and arising from it. The examples include [4 9 19 24 30 1 . In some cases [9], the 
entrusted properties are left implicit, because all trust relationships of interest concern 
the same <t> (e.g., <P(A) = 'A is a reliable merchant" or "A's keys are not compromised"). 
In other cases, the analyzed trust concerns boil down to two |3 19], or four [24] types 
of trust relationship, which are simply annotated by different types of arrows. Although 
the logics of trust have also been investigated in the context of trust networks 0121131 . 
many basic questions about trust dynamics remain widely open even when there is only 
one entrusted property. 

1 Statically, two principals knowing the same keys are indistinguishable by cryptographic 
means. Dynamically, they may be distinguishable, e.g., by the fact that at some previous mo- 
ment only one of them knew a particular key. Nevertheless, it is often useful and convenient to 
treat the keys as first-class citizens of cryptographic protocols, and to distinguish the principals 
only when necessary. 



Summary of the paper. We analyze dynamics of trust networks. It is driven by the 
users, who are trying to decide which web merchants to buy from, or in the Public Key 
Infrastructure model, which keys to use. The security problem for the user is that a trust 
authority, which she consults for trust recommendations, may be corrupt, just like any 
merchant, or any key. In order to decide which merchants to trust, the user must decide 
which recommenders to trust. And in order to decide which recommenders to trust, she 
must try some of the recommended merchants. The problem of the chicken and the egg 
arises. In order to protect herself, the user must not accept the trust recommendations 
passively, but needs to build up her private trust vectors, perhaps using some public 
recommendations on the way. While the public recommendations cover a broader range 
of trust objects and interactions, private trust vectors are less likely to be corrupt. 

In section|2] we present an abstract model of public trust networks. In section|3] we 
analyze dynamics of the private trust building and updating. In section [4] we spell out 
the conclusions. In section[5] we discuss the applications, and propose some ideas how 
to combine private trust vectors with public recommendations, towards more reliable 
trust decisions. 

Trust networks, as presented in section [2] consist of two components, echoing the 
distinction between the direct and indirect trust. This distinction is a common feature 
of most of the trust network models encountered in the literature |3 19 24 30 1. Enriched 
with additional features, our model can be instantiated to these richer models. However, 
in order to present a picture simple enough for our analyses, we also show how to ab- 
sorb, in a matrix form of a trust network, the chains of indirect trust, which is conveyed 
from one recommender to another, together with the direct trust, which is conveyed 
from the recommenders to the shops. 

In section[3] we show that, under reasonable assumptions, the process of trust build- 
ing asymptotically converges to a power-law distribution of trust vectors. This means 
that trust distributions have heavy tails of highly rated trust hubs. One consequence is 
that trust distributions are thus resilient to random perturbations. Another consequence 
is that they are vulnerable to adaptive attacks on their trust hubs. The proviso is that 
the cheaters do not wait too long with their deceit. In our trust model, this proviso is 
represented by the assumption that, the more trust a principal accumulates by acting 
honestly, the less likely it becomes that he will turn out to be dishonest. 

The conclusions are spelled out in section 0] Our analysis of trust dynamics applies 
both to users' private trust vectors, and to recommenders' public recommendations. 
Since the latter are open to attacks, and turn out to obey the vulnerable power law 
distributions, they should not be directly used for trust decisions, but combined with the 
private trust values. This suggestion is supported by the empiric evidence that the public 
trust vectors are often actually subverted!!). In section [5] we sketch some methods to 
combine public and private trust vectors, that need to be explored and evaluated in future 
research. 

2 Modeling trust networks 

In many communication networks, it is impossible, or unfeasible to fully authenticate 
and authorize all interactions. Trust networks provide a supplementary service of par- 



tial authentication or authorization. In many cases, authentication is bootstrapped by 
incrementally strengthening trust. 

We begin by an informal description of the conceptual components of a trust net- 
work, and later provide the formal definitions. To determine thoughts, we first present 
the special case of a web shopping scenario. A shopper visits a virtual network of web 
merchants. If she has no prior experience with it, she can seek advice from some recom- 
menders. Denote the set of merchants by J and the set of recommenders by U. The rec- 
ommenders record and process the merchant ratings, submitted by the users after their 
interactions with the merchants. From these ratings, the recommenders derive their rec- 
ommendations, and publish them as trust certificates. A trust certificate c is represented 
by an expression in the form u — > i, where u e U is a recommender, i e J a mer- 

r 

chant, and r is the trust rating in a previously agreed rating scale R. A recommendation 
network A is spanned by such certificates. 

c 

In addition to the merchant recommendation certificates u — > i, a recommender 

r 

e 

u may issue the endorsement certificates u — > v, where v is another recommender. 

r 

The endorsement certificates span an endorsement network E. The endorsement chains, 
represented by the paths through the endorsement network, allow analyzing the subtle 
problems of transitivity of trust. 

We call trust network a pair T = (A, E), where A is a recommendation network, and 
E is an endorsement network over the same set U of recommenders. Trust networks can 
be presented in many slightly different ways, but they all model the public infrastructure 
of trust. 

Besides the shopping scenarios, trust networks also model the Public Key Infras- 
tructures (PKI). In this interpretation, the trust authorities «eU are not recommenders, 
but simply keys. The endorsements u — > v between them are now the delegation certifi- 

r 

cates. The objects of trust i e J do not represent the web merchants any more, but the 

c 

bindings between some principals' identities and their keys. A recommendation u — > i 

r 

is now a binding certificate for i, signed by u. More details about this interpretation, and 
about other presentations of trust networks, can be found in [3 19 24 30 1. 
We proceed with the formal definitions. 

2.1 Recommendation networks 

A recommendation (certificate) network is an edge-labelled bipartite graph 

A = (R B ®£ UxJ) 

where 

- J is a set of objects, 

— U is a set of trust authorities, or recommenders, 

— B is a set of certificates, or recommendations, and 

- R is a set of values, usually an ordered rig, where the trust ratings are evaluated. 



A recommendation (certificate) u — > z is thus represented by an edge c e B of the 

r 

graph, with the source node <9(c) = u and the target node g(c) = i. The value r = b(c) 
is the trust rating assigned to i by u's recommendation c. The same recommender u 
may issue several recommendations c\,C2 ■ ■ ■ for the same object i, with the same or 
different trust ratings; he may also revoke some of them. The use of these multiple 
recommendations may be regulated by various policies, summing up or averaging the 
ratings, validating only the last one, and so on. For simplicity, in the present paper 
we assume that each trust authority takes care for this, and publishes at each point 
in time at most one recommendation for each object, which sums up (or averages) 
all its valid recommendations for that object. This allows us to conveniently reduce 
recommendation networks to matrices A = (A B! )uxJ> where 

A,„ = ]TMc) 

u — *(' 

The summation is taken in the rig structure of R. A rig R = (R, +, -,0, 1) is a "ring 
without the negatives". This means that (R, +, 0) and (R, •, 1) are commutative monoidsj 
satisfying a(b + c) — ab + ac and 0a = 0. The typical examples include natural numbers 
N, non-negative reals R+, but also distributive lattices, which in general cannot be em- 
bedded in a ring. For concreteness, we shall work mostly with R = N or R = R+, i.e. 
assume that the trust ratings are nonnegative real numbers. It should be noted, however, 
that in some concrete applications more general rigs are needed, e.g. of polynomials or 
affine functions over R+. 

On the other hand, if the idea that our trust ratings have no upper bound seems 
strange, the reader can translate all our constructions to the interval R = [0, 1], with the 
rating function /3 : B — »- [0, 1 ] set to 

P(c) = 1 - 2- h(c) 

The inverse transform is b(c) = - log 2 (1 -J3(c)). Being able to switch between these 
two equivalent views is useful because each simplifies different aspects of rating: the 
ratings over R + are simpler when there are several parallel recommendations, which 
we want to add up, whereas the ratings over [0, 1] are simpler when there is a chain of 
recommendations, and we want to multiply them. 

Remarks. While R + and [0, 1] are just special cases of R, one could also raise the 
opposite objection, that they are needlessly general, since most real systems accept and 
generate their ratings over some very simple lattice (such as ★ < ★★ < ★★★). But data 
analysis is never performed within that lattice. E.g., if the ratings are derived from users' 
feedback, then they usually need to be balanced, before they are entered in the same data 
set, because some users tend to rate more generously than others. In some other cases, 
the ratings need to be normalized into a given interval. So the rig operations are usually 
necessary. On the other hand, in relational data analysis, R is the boolean algebra {0, 1 }, 
and the full ring structure is not given. So rigs are a reasonable compromise for general 
explorations. 

2 Rigs are sometimes called semirings. But it seems more reasonable to call semiring an algebra 
R = (R, +, •) where (R, +) and (R, •) are semigroups, satisfying a(b + c) = ab + ac. 



2.2 Endorsement networks 



We model an endorsement network as an edge-labelled graph 

E = (R J- D UxU) 
where an endorsement (certificate) u — > v is represented as element e e D with 5(e) = u 

r 

and £>(e) = v. The trust rating r = d(c) this time quantifies u's endorsement of v. Like 
before, we reduce this network to a matrix E = tE KV )uxU» where 

E uv = 2] d(e) 

w — >v 

Abstractly, an endorsement network is similar to some of the popular network mod- 
els, used for analyzing protein interactions, the Web, social groups, etc. (Cf. 0181271 . 
and the references therein.) Its dynamics can always be analyzed in terms of promotion, 
discussed in ||28l . In that paper, path completions were introduced to allow analyzing 
the multi-hop network interactions within a simple matrix framework. Here, they will 
allow us to analyze chains of trust in a similar framework. 

2.3 Path completions of endorsement networks 

To some extent, trust is transitive: if u trusts w, and w trusts v, then u can accept some 
reliance on v. But not too much. Depending on the level of risk, and the presence of al- 
ternatives, u might prefer to avoid indirect trust. And in any case, it would be unwise for 
her to rely upon someone removed from her by 20 trustees of trustees of trustees. . . Can 
we capture such subtleties without complicating the model? 

A chain or path u —* v in an endorsement network £ is a sequence of links u % 
w\ — » W2 —>••■—> v. Given an endorsement network E, we would like to define 
another such network E # over the same set of recommenders, but with the chains of 
the endorsement certificates as the new endorsement certificates. The naive idea is to 
simply take all finite chains of network links as the new network links; i.e., the paths 
through the old network become the links of the new network. The new network is then 
closed under composition: each path from u to v, as a composite of some links through 
other nodes, corresponds to a link from u to v. This amounts to generating the free 
category over the network graph. 

Unfortunately, besides the trust dissipation, described above, this kind of closure 
destroys a lot essential information in all networks, just like the transitive closure of 
a relation does. E.g., in a social network, a friend of a friend is often not even an ac- 
quaintance. Taking the transitive closure of the friendship relation obliterates that fact. 
Moreover, the popular "small world" phenomenon suggests that almost every two peo- 
ple can be related through no more than six friends of friends of friends. . . So already 
adding all paths of length six to a social network, with a symmetric friendship relation, 
is likely to generate a complete graph. In fact, the average probability that two of node's 
neighbors in an undirected graph are also linked with each other is an important factor, 



called clustering coefficient |32|. On the other hand, in some networks, e.g. of protein 
interactions, a link u — > v which shortcuts the links u — > w — > v often denotes a direct 
feed-forward connection, rather than a composition of the two links, and leads to essen- 
tially different dynamics. For all these reasons, only some "short" paths can be added 
to a network. This is assured by penalizing the compositions. 

As mentioned above, the ratings within R = [0, 1 ] are more convenient for analyzing 
the chains of trust, so we use it in the next couple of definitions. 

S d 

Definition 1. For a given endorsement network E = ([0, 1] ■* D ^ U), a trust 

Q 

threshold tj e [0, 1 ], and a composition penalty e e [0, 1 ], we define the path completion 
to be the network 

E* = ([0,1] ^— D* z=X U) where 

Q 

D # = \e e D + | 5(e) > 77} and 

n 

6(u u\ % u 2 -> • ■ ■ % u„) - e" _1 Y\ S(e k ) 

k=\ 

with D + denoting the set of all nonempty paths in E, i.e. n > 1. 

Remark. A path-complete network E # is closed under the compositions of high-trust 
endorsements, but not under the compositions which fall below the trust threshold. It is 
not hard to see that the path completion is an idempotent operation, i.e. E** = E # , but 
that it may fail to be a proper closure operation, because the endorsements e e E such 
that 6(e) < r\ are not in E # , so that generally E $£ E # . 



2.4 Completions of trust networks 

At the final step of completing a trust network, we bring the information captured in it 
into a more manageable form by folding the completion of the endorsement part into 
a new recommendation network. The trust matrix, extracted from this recommendation 
network in the same way as before, now captures not only the direct recommendations, 
but also a relevant part of indirect trust. 

Definition 2. Suppose that we are given a trust network T = (A, E) with 
A = ([0,1] J— B UxJ) 

E = ([0,1] D UxU) 

and moreover a trust threshold i] e [0, 1], and a composition penalty e € [0, 1]. The 
endorsement completion of T is the recommendation network 

A* = ([0,1] J— B # -^1 UxJ) where 
B* = {{e, c) e ^ D,* n , x B w | f3(e, c) > tj} and 

veU 

/3(u 4 v A 2) = 6(e) ■ /3(c) 



where D* v denotes the set of all paths in from u to v in E, including the empty path 
u — v, in which case 6(0) — 1. 

Assumption. In the rest of the paper, we work with recommendation networks A = A # , 
assumed to be endorsement complete. 

In the next section we analyze how individual users build their own trust vectors. 
The repercussions of this analysis to public trust networks are discussed in section[5] 

3 Privatetrust 

For intuition, we introduce the mathematical model of the process of trust building and 
updating in terms of an imaginary shopper trying out some web merchants. The model 
is, however, completely general, and we explain later that a recommender also builds 
his trust vector by an analogous process. 

3.1 Private trust vectors and their updating 

The shopper records her trust in a trust vector re R J . As the time t = 0, 1,2, . . . 
ticks, the shopper interacts with the shops, and subsequently updates r according to her 
shopping experiences. This evolution makes the trust vector into a stochastic process 
r : N — >- 2)(R J ), which expresses the likely distribution of shopper's trust at time 
t as the random variable r(f) € £)(R J ). The stationary distribution of the stochastic 
process r is the likely distribution of trust, which we would like to analyze. 

On the side of the recommenders, the shopper may also maintain a trust vector cr e 
R u . The idea that a trusted recommender recommends reliable merchants is expressed 
through the invariant r, = 2«eu °~uA U i, which should be maintained as t is updated. This 
makes cr : N — s~ £)(R U ) into another stochastic process. 

Initially, at t = 0, the shopper may assign all merchants the same trust rating t,(0) 
I : or she may assign each recommender the same trust rating <x„(l) = 1, and derive 



random variable X(t) e £)J selects the merchant with whom the shopper interacts at 
time t. We assume that X(0) is distributed uniformly at random, whereas the probability 
that the next shop X(t + 1) will be i e J is either proportional to the trust r,(f), or it 
is a fixed value or 6 [0, 1], if i has had a minimal trust rating, and selecting it means 
replacing it by a new, untested shop. Formally, 



where C(t) = ^ i s the normalization factor. The minimality of T;(?) means that for 
all j e J holds r,(f) < Tj(t). The a-case corresponds to shopper's habit to, every once in 
a while replace an untrusted shop, with a minimal rating, with a new, untested shop. 



t;(0) = 2„eu 

The stochastic process X : N 



£)J represents shopper's shopping history. Each 




(1) 



After the transaction with the merchant X(t + 1), the shopper updates her trust vector 
t(/) to r(f +1), depending on whether the merchant acted honestly or not: 

if i*X(t+ I) 
if ;' = X(t + 1) is dishonest 

if i = X(t + 1) is honest, and new (i.e., t,(/) was minimal) 
if i = X(t + 1) is honest, not new (i.e.,T,(f) not minimal) 

The interpretation of the third case is that the label i = X(t + 1) is reassigned from some 
untrusted merchant, which had a minimal trust rating r,(f), to a new merchant, whose 
initial trust rating is set to 1 if the initial transaction with was satisfactory. In the fourth 
case, the merchant i = X(t +1) was tried out before, and has accumulated a trust rating 
Tx(t+i), which is now increased to Tx(t+\){t + 1) = 1 + Tx(t+\){t) because of a satisfactory 
transaction. 

3.2 Private trust distribution 

If the trust ratings evolve according to the process just described, how will they, in the 
long run, partition the set J of merchants? How many merchants will there be with a 
trust rating of 1, how many with a trust rating of 2, and so on? More precisely, we want 
to estimate the likely number of elements in each of the sets W((f) = [i e J | T,(f) = (}, 
for ( G R, as the time / ticks ahead. So we set up a system of equations, describing the 
evolution of 

w t (t) = \{i e J | n{t) = t}\ 

where |Y| denotes the number of elements of the set Y. Note that the disjoint union is 
UfeRW^(f) = J, and therefore YjteP. w e(t) = J, where we write J = |J|. 

The initial values W((0) are determined by shopper's choice of t(0). If she sets 
t,(0) = 1 for all ; e J, then wi(0) = /. 

How does w\ change at the time f? We claim that 

wi(t + 1) - w\(t) = J ■ Prob(X(f + 1) = i \ t ; minimal) • y ± 
- wi(t) ■ Prob(X(f + 1) = i | Ti(t) = 1) 
= Jaji. - wi(f) • C(f) 

To justify this, note that the difference between Wi(f + 1) and Wi(f) comes about for 
one of the two reasons: 

- either i e J is added to Wi(t), because T;(/) was minimal, and X(t + 1) = ;' was 
selected, with the probability a to be replaced with a new shop from J; and then 
that new shop, now called ;, provided an honest transaction, the probability of which 
is so ;' is now assigned the trust rating r,(f + 1) = 1; 

- or ;' e J is deleted from W\(f), because T,-(f) was 1, and X(t +1) = i was selected 
from W\(f), with the probability C(t) • T,(f); after the transaction, i's trust rating was 
updated either to r,(f + 1) = 2 or to r,(f + 1) = 0, depending on whether he acted 
honestly or dishonestly; but ;' was deleted from Wi(t) in any case. 



Ti(t+l) = 



Ti(t) 


1 

1 + Ti{t) 



However, when the ratings I > 1 are updated, it will not be irrelevant whether i acts 
honestly or dishonestly. To describe dynamics of this process, we denote by jc e [0, 1] 
the probability that a shop with a rating I is honest. With the described process of trust 
updating, accumulating a high trust rating £ takes time. In order to get a high trust rating, 
a dishonest shop has to act honestly for a long time. It is therefore reasonable to assume 
that the probability \-jc that an ^-rated shop is dishonest decreases to as £ increases; 
i.e. that lim^co Jt = \. 

Rating dynamics is now 



The difference between Wc(t + 1) and Wt(t) again comes from two sources: 

- either i e J is added to Wc(t), because r,(f) was I — 1 and X(t + 1) = i was selected 
from We-i(t) with the probability C(f) • (( - 1); and then this i turned out to be 
honest, with the probability yt-i, so that r,(f +1) got updated to 1 + r,(f) = {; 

- or i € J is deleted from W((t), because T,(f) was I, and X(t + 1) = i was selected 
from Wc(t), with probability C(?) • {; if i acted honestly, his trust rating got updated 
to £ + 1 ; if he acted dishonestly, it got updated to 0; in any case, he got removed 
from W((t). 

Conceptually, the above derivations follow Simon's master equation method Oil . To 
simplify the solution, we use a more contemporary approach of [6 33 1 . First of all, we 
do not seek the solutions for the sizes wdf) of the sets W((t), but rather for the densities 
v e (t) = 2^2. Since £feR v e (f) = 1, for every t, the functions v ( _)(f) : R — ^ [0, 1] 
are probability distributions with a finite support. Together, they thus form a stochastic 
process v : N — >■ £)R, described by the difference equations 

Avi{t) = ay ± - C(0vi(0 

Av t {t) = y c -x({ - l)C(0v*_i(f) - {C(t)v t (t) 

As shown in the Appendix, the steady state of this process turns out to be 



where G„ = Yl"=\ Ye> me constant c satisfies - f w C(f) = ^77(7)' an< ^ ^ ' s Dirichlet's 
Beta function. But Stirling's formula implies that B(x,y) a x~ y holds as x — > oo. We 
have thus proven that, with a sufficiently fine trust rating scale, and with the probability 
of honesty jt increasing with the trust rating t fast enough, the trust ratings obey the 
power law H25I26I . 

In summary, we have proven the following: 

Theorem. A trustor maintains trust ratings for a set of J trustees. The ratings take their 
values from a sufficiently large set, so that they can strictly increase whenever justified. 
They are updated according to the following procedure: 



w e (t + 1) - w e (t) = w { -i(f) ■ Prob(X(f + 1) = i | t,(0 = I - 1) • y t -\ 
-w c {t) ■ Prob(X(f + 1) = 2 1 T,(f) = £) 
= we-iit) ■ C(t) ■({-!)■ y t -i - w c (t) ■ C(t) ■ £ 



qy± 

c+l 




— Initially, the tustor assigns some fixed ratings (e.g., equal) to all trustees. 

— Then the trustor repeatedly tests the trustees: 

• with a probability a, she tests an untested trustee, adds it to the set J, and 
deletes from it a trustee with the minimal rating; 

• otherwise, the turstor tests a previously tested trustee, with a probability pro- 
portional to its trust rating. 

— After each step, the trustor updates the trust rating ( of the tested trustee as follows 

• with a probability yt, she increases it (because of a satisfactory outcome of the 
test); 

• otherwise, she sets it to zero. 

If the probability yt of a satisfactory transaction with an (-rated trustee increases fast 
enough enough to satisfy < yt < 1 for some convergent series YjT=i s ( < °°> so tnat 
G — Y\T=i Yt > 0> tnen ' n tne l° n g run > tne number w n of trustees with the trust rating n 
obeys the power law 

ay ± GJ _ fl n 
c 

where c is a renormalising constant c as , and y x is the probability that an untested 
trustee will satisfy the test. 

Remarks. As explained in section lXTl the assumption that the trust can always increase 
does not mean that the trust ratings have to be unbounded: they can also increase asymp- 
totically. This assumption is only needed to assure that the process of trust building will 
not become irrelevant after some threshold is reached. In reality, of course, only finitely 
many interactions with finitely many shops can be taken into account, but there is a real 
sense in which the trust process can always be refined, and trust increased. 

The assumption that G — YYt=\ Yt > means that the probability 1 - yt, that a shop 
with a trust rating t is not trustworthy, quickly decreases as I increases. This assumption 
is not satisfied if many untrustworthy shops act honestly for a long time, waiting to 
accumulate trust, and then strike. If there are incentives for that, the heavy tail of the 
power component of w„ is trimmed by the exponential component G n = I~[" = i Yt> an d 
the distribution of trust is exponential. 

But this leads to a negative feedback: as they decrease the range of trust distribution, 
the dishonest trust hubs actually decrease the vulnerability of the network. The more 
persistent attackers there are, the higher the cost of an attack. 

Other interpretations. Although our model was described and motivated as shopper's 
trust process, it seems likely that the stochastic process governing recommender's trust 
vector would be of the same type. The main difference is, of course, that the recom- 
mender does not select and test the merchant himself, but builds his trust vector from 
the merchant ratings that he obtains as the feedback from the shoppers. However, a 
shopper who comes back to submit the feedback is probably the same one who pre- 
viously came to obtain recommender's recommendation. And it is furthermore just as 
likely that the shopper has selected the merchant following that recommendation. So 
the selection of the merchant whose trust rating will be updated at a time t + 1 was 
guided by recommender's trust vector at time t, just as it was the case with shopper's 
trust dynamics. 



3.3 Robustness and vulnerability of private trust 



The upshot of the Theorem just proved is that there is a great variety of trust ratings: 
the distribution has a heavy tail. Money attracts money, and trust attracts more trust. 
As you extend the circle of merchants and the rating scale, you will find merchants 
with higher and higher trust rating. This applies to user's private trust vectors t and 
cr, as well as to recommender's public trust vectors, displayed as the rows of the rec- 
ommendation matrix A = (A„,)u x j- Moreover, although we did not describe dynamics 
of an endorsement network here, it seems certain that it also leads to a distribution of 
recommenders' influence, obeying the power law. The reason is that the endorsement 
dynamics is quite similar to promotion dynamics, described in [28 1, which is a version 
of one of the processes studied in Simon's seminal paper about the power law OP . 

The structure and the properties of the distributions that obey the power law have 
been extensively analyzed [25 26 27 1. As mentioned in the Introduction, because of the 
presence of highly rated hubs, such distributions tend to be robust under random per- 
turbations, but vulnerable to adaptive attacks on their hubfl Leaving the mathematical 
details aside, the security consequence is that the power law distributions work for the 
attacker, he only needs to attack a small number of nodes of high ranking, in order 
to gain control over a large part of the system. This phenomenon has been previously 
demonstrated on toy models of trust networks, involving the bottleneck nodes [ 19 1. Al- 
though the recommender networks, currently deployed on the Web, still do not form 
a large network, the same phenomenon — that the main trust hubs become increas- 
ingly unreliable — has also been observed in practice: e.g., (8) describes some extreme 
examples. 



4 Conclusions 



The obvious security lessons, arising from our analyses, and supported by the empiric 
observations are thus: 

- Trust decisions should not be derived from public trust recommendations alone. 
They should be based on private trust vectors, that the user should maintain herself. 

- Public trust recommendations should be used to supplement and refine private trust. 



3 One way to make this statement precise is to build a random graph with the given trust distribu- 
tion as the degree distribution. The methods of 1 1| can serve for this purpose. The edges of the 
obtained graph can be interpreted as the interactions recorded in nodes' trust ratings. The trust 
hubs would then be the graph hubs in the usual sense: highly connected nodes. The robustness 
would manifest itself as a high phase transition: the graph remains connected even when many 
randomly selected edges are eliminated; and the fragility would mean that the graph falls apart 
very easily if some of the hubs are removed. 



5 Towards applications: 

Combining private trust and public recommendations 



Hoping that the gentle reader will not be too disturbed by the fact that the paper con- 
tinues beyond its conclusion^ in this final section we sketch some ways to implement 
these conclusions. We propose for further exploration two methods for a user of a trust 
network to combine her private trust vectors with some public recommendations, in or- 
der to obtain more informative trust guidance. Although we attempt to provide intuitive 
explanations, understanding the technical details of these condensed ideas may require 
some familiarity with LSI and with the vector model. 

5.1 Trust communities 

It is often emphasized that trust is relative to a community, or more generally to a 
module ll28l within a network: e.g., a criminal may be trusted within the community 
of criminals, but not within a community of security researchers, and vice versa. The 
members of the same community can be recognized by similar trust vectors, or recom- 
mendations. 

In this section, we briefly summarize how a recommendation matrix can be used to 
recognize communities in the space of recommenders on one hand, and in the space of 
merchants on the other. The merchants which deserve to be trusted for the same type of 
services are likely to be highly recommended by the same recommenders. This groups 
them into communities. The user can refine his trust by computing how much he trusts 
each community, and how is his trust distributed within each of them. While the public 
trust recommendations may be unreliable, and better not followed directly, they pro- 
vide reliable and valuable information about the trust communities. By relativizing the 
private trust over the trust communities, the user can obtain significantly more precise 
guidance, distinguishing between the various forms of trust in the various communities, 
even in the model where the entrusted properties are kept implicit. 

By suitably renormalizing the data, the similarity between the trust vectors tp and 
if/ e R J can be viewed as the angle between the induced recommender vectors 

&(<p, i//) = {Aip | Atff) 

where (x\y) = 2ieu x vyv is the inner product in the space R u . The angle is often used as 
the similarity measure in information retrieval and data mining [22 J. It should be noted 
that it leads to subtle statistical problems, if applied to diverse samples [29|. The trust 
communities, as the subspaces of similar vectors within R J , can be detected by spectral 
methods, using the data mining technique of Latent Semantic Indexing (LSI) [7 1 61291 . 
The idea is to look for the vectors £ where s(£, £) attains the extremal values. Since the 
transpose A T satisfies (Aip \ Axjj) - (if \ A T Ai(r), the similarity can be also be expressed as 
s(ip, tfi) = (<p | A T Aif/). The extremal values of s(£, = | A T A%) can thus be found as 
the eigenvalues \A\ > A% > ■ ■ ■ > A„,} of A T A. The communities are the corresponding 
eigenspaces, described by the projectors {Pi, . . . , P m ). 



A reviewer of a version of this paper where the above conclusions were not separated in their 
own section, objected that the paper ended abruptly, without any conclusions. 



There are at least two ways to refine private trust t using the trust communities 
{Pu...,P m l 

Community specific private trust. Instead of using his trust vector t e R J to select 
the trusted objects, the user can compute the community specific trust vectors 

r k = Put 

obtained by projecting r into each of the eigenspaces Pk,k= l,...,m, i.e. by relativiz- 
ing it to the dominant merchant communities. In this way, even if the trust relations 
A — > B are not explicitly annotated by the entrusted properties <t>, the user can refine 

his trust decisions by recognizing the "latent" entrusted properties, uncovered as the 
dominant trust communities \P\, . . . ,P m ). 

Personalized recommendation matrix. Intuitively, the spectrum {A x > A 2 > ■■ ■ > A m ) 

expresses a notion of cohesion, i.e. the strength of the mutual trust within each of the 
communities {Pi , P2, ■ . . , P m ). On the other hand, the degree to which a user with a trust 
vector t trusts a community Pk can be measured by the similarity s(t, t*) = (r | fVr). 

The Singular Value Decomposition (SVD) theorem tells that the spectral decom- 
position A T A = Ylk=\ foPk induces A = Y!k=\ f° r the suitable operators Ilk. 
The personalized recommendation matrix, remixed according to the community trust 6 
induced by user's trust vector t is then A T = Ylk=\ V( T IAi"}/7/;- Using this private ma- 
trix is equivalent to using the community specific trust vectors, within each of the trust 
communities; but it also allows evaluating trust for combinations of communities. 
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Appendix: The steady state of the trust process 

The trust process v : N — >- £)R is described by the difference equations 

Av x {t) = ay x -C(0vi(0 

Av { {t) = yt-i{l - l)C(f)v,-i(r) - C{t)tv t {t) 

Recall, first of all, from section [11] that C(t) = where S(t) = "*",(?)■ The dy- 
namics of r, described at the end of section [3Tl implies that 

S (t + 1) = Yj t *(0 + 7x(j+i) (1 + T X (,+i)(0) + ory x 

where y± is the probability that a shopper is satisfied after an interaction with a new 
shop. It follows that 

AS(t) = rx(r+i) - (1 - yx(i+\))Tx(t+\){t) + oT-l ~ 1 + «r± 

is approximately constant and thus S(t) a (1 +aj ± )t. Hence C{t) * |, where c = . 

With this simplification, and with the martingale assumption of ll33ll satisfied, the 
solutions of the above system of difference equations can be approximated by the solu- 
tions of the corresponding differential system 

dv\ c 

= ay± - V] 

at t 

dv e __ y t -\c{l- l)v^-i - c€v e 
dt ~ t 

where the discrete time variable t has been made continuous. The steady state of the 
stochastic process v : R — >■ DR can now be found in the form V[(t) = t ■ vt , by 
expanding the recurrence 



V\ = ay ± - cv\ 

vt = Ji-\c(f - - c£v e 



into 



which further gives 
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